diff options
author | Roberto Clapis <robclap8@gmail.com> | 2019-11-18 10:05:07 +0100 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2019-11-21 22:20:17 +0000 |
commit | 94e9a5e19b831504eca2b7202b78d1a48c4be547 (patch) | |
tree | 6ac7a10d3644bf3efa6b026f4eb9b817fa6b15b4 /src/html | |
parent | f4a8bf128364e852cff87cf404a5c16c457ef8f6 (diff) | |
download | go-94e9a5e19b831504eca2b7202b78d1a48c4be547.tar.gz go-94e9a5e19b831504eca2b7202b78d1a48c4be547.zip |
text/template: harden JSEscape to also escape ampersand and equal
Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.
This change makes it harder to introduce XSS by misusing
escaping.
Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.
Fixes #35665
Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martà <mvdan@mvdan.cc>
Diffstat (limited to 'src/html')
-rw-r--r-- | src/html/template/example_test.go | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go index 533c0dd961..9d965f1943 100644 --- a/src/html/template/example_test.go +++ b/src/html/template/example_test.go @@ -116,9 +116,9 @@ func Example_escape() { // "Fran & Freddie's Diner" <tasty@example.com> // "Fran & Freddie's Diner" <tasty@example.com> // "Fran & Freddie's Diner"32<tasty@example.com> - // \"Fran & Freddie\'s Diner\" \x3Ctasty@example.com\x3E - // \"Fran & Freddie\'s Diner\" \x3Ctasty@example.com\x3E - // \"Fran & Freddie\'s Diner\"32\x3Ctasty@example.com\x3E + // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E + // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E + // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E } |